Executive summary


Audit Methodology 


The Information Commissioner is responsible for enforcing and promoting compliance with data protection 
legislation, as well as the Freedom of Information Act 2000 (FOIA) and the Environmental Information Regulations 
2004 (EIR). Section 47 of the FOIA makes provision for the Commissioner to assess whether a public authority is
following good practice, including compliance with the requirements of this Act and the provisions of the codes of 
practice under sections 45 and 46. 


The ICO is an independent, proportionate regulator and sees auditing as a constructive process with real benefits 
for public authorities and so aims to establish a participative approach. High standards of compliance with the 
relevant legislation can help public authorities maintain the trust and confidence of the public. 


Following engagement with the ICO, the Environment Agency (EA) agreed to a consensual audit of its compliance 
with the FOIA. An introductory telephone meeting was held on 3 July 2023 with representatives of the EA to 
discuss the scope of the audit. 


The purpose of the audit is to provide the Information Commissioner and the EA with an independent assurance of 
the extent to which the EA, within the scope of this agreed audit, is complying with FOIA and EIR requirements. 


It was agreed that the audit would focus on the following area:


Freedom of Information (FOI): The extent to which the information handling practices of the EA, within the scope of this
agreed audit, conform with the codes of practice under sections 45 and 46 of the FOIA.


Audits are conducted following the Information Commissioner's audit methodology. The key elements of this are a 
desk-based review of selected policies and procedures, remote interviews with selected staff, and a virtual review 
of evidential documentation. 


Where weaknesses were identified, recommendations have been made, primarily around enhancing existing
processes to facilitate compliance with freedom of information legislation. To assist the EA in
implementing the recommendations, each has been assigned a priority rating based upon the risks that it is
intended to address. The ratings are assigned based upon the ICO's assessment of the risks involved. The EA's
priorities and risk appetite may vary and, therefore, it should undertake its own assessment of the risks
identified.


Audit Summary 


Freedom of Information: There is a reasonable level of assurance that processes and
procedures are in place and are delivering FOI compliance.
The audit has identified some scope for improvement in
existing arrangements to reduce the risk of non-compliance
with the FOIA.


*The assurance rating above is reflective of the remote audit methodology deployed and the rating may not necessarily represent a 
comprehensive assessment of compliance. 


Priority Recommendations


[Bar chart: Breakdown of priority recommendations, all scope areas (Freedom of Information). Legend: Low, Medium, High, Urgent.]


The bar chart above shows a breakdown of the priorities assigned to our recommendations made as part of this
audit. There are three urgent priority recommendations, eight high priority recommendations, two medium priority
recommendations and one low priority recommendation.


Graphs and Charts


[Pie chart: Freedom of Information, Assurance Rating Summary. Legend: High, Reasonable, Limited, Very Limited.]


The pie chart above shows a summary of the assurance ratings awarded. 32% high assurance, 20% reasonable 
assurance, 28% limited assurance, 20% very limited assurance. 


Areas for Improvement


• The EA is not complying with statutory timescales for responding to FOI and EIR requests. It was evident to
ICO auditors that improving the EA's timeliness in responding to FOI and EIR requests is a priority of the EA.


• The EA does not have adequate governance oversight of its FOI/EIR related activities. Establishing
and maintaining strong FOI/EIR leadership and oversight, clearly documenting policies, reporting lines and
responsibilities, and ensuring effective information flows will help the EA to comply with its statutory
obligations.


• Where the EA works in partnership with other organisations there is a lack of documented governance
arrangements in relation to the handling of requests and/or the management of records. This could impact the
timeliness of the EA's responses to FOI and EIR requests and result in a breach of FOI/EIR regulations.


• The EA's publication scheme does not include all the information recommended by the ICO.


• The EA is not meeting the training needs of all new and existing staff in relation to FOI and EIR. Training and
awareness are key to the EA satisfying statutory requirements.


• Some staff do not have the necessary management support, capacity or allocated time to meet their FOI/EIR
obligations. This could result in a breach of FOI/EIR regulations.


Disclaimer


The matters arising in this report are only those that came to our attention during the course of the audit and are 
not necessarily a comprehensive statement of all the areas requiring improvement. 


The responsibility for ensuring that there are adequate risk management, governance and internal control
arrangements in place rests with the management of the Environment Agency.


We take all reasonable care to ensure that our audit report is fair and accurate but cannot accept any liability to 
any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it 
arising out of, or in connection with, the use of this report, however such loss or damage is caused. We cannot 
accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining 
from acting as a result of any information contained in this report. 


This report is an exception report and is solely for the use of the Environment Agency. The scope areas and 
controls covered by the audit have been tailored to the Environment Agency and, as a result, the audit report is 
not intended to be used in comparison with other ICO audit reports. 